Merge pull request #1072 from wallabag/v2-entry-test

Add more tests to Entry controller + security

app/build.xml

@@ -38,7 +38,6 @@
             <arg value="${basedir}/../app/console"/>
             <arg value="doctrine:fixtures:load"/>
             <arg value="--no-interaction"/>
-            <arg value="--purge-with-truncate"/>
             <arg value="--env=test"/>
         </exec>
     </target>

src/Wallabag/CoreBundle/Controller/EntryController.php

@@ -13,7 +13,9 @@ class EntryController extends Controller
 {
     /**
      * @param Request $request
+     *
      * @Route("/new", name="new_entry")
+     *
      * @return \Symfony\Component\HttpFoundation\Response
      */
     public function addEntryAction(Request $request)
@@ -54,6 +56,7 @@ class EntryController extends Controller
      * Shows unread entries for current user
      *
      * @Route("/unread", name="unread")
+     *
      * @return \Symfony\Component\HttpFoundation\Response
      */
     public function showUnreadAction()
@@ -73,6 +76,7 @@ class EntryController extends Controller
      * Shows read entries for current user
      *
      * @Route("/archive", name="archive")
+     *
      * @return \Symfony\Component\HttpFoundation\Response
      */
     public function showArchiveAction()
@@ -92,6 +96,7 @@ class EntryController extends Controller
      * Shows starred entries for current user
      *
      * @Route("/starred", name="starred")
+     *
      * @return \Symfony\Component\HttpFoundation\Response
      */
     public function showStarredAction()
@@ -111,11 +116,15 @@ class EntryController extends Controller
      * Shows entry content
      *
      * @param Entry $entry
+     *
      * @Route("/view/{id}", requirements={"id" = "\d+"}, name="view")
+     *
      * @return \Symfony\Component\HttpFoundation\Response
      */
     public function viewAction(Entry $entry)
     {
+        $this->checkUserAction($entry);
+
         return $this->render(
             'WallabagCoreBundle:Entry:entry.html.twig',
             array('entry' => $entry)
@@ -127,11 +136,15 @@ class EntryController extends Controller
      *
      * @param Request $request
      * @param Entry   $entry
+     *
      * @Route("/archive/{id}", requirements={"id" = "\d+"}, name="archive_entry")
+     *
      * @return \Symfony\Component\HttpFoundation\RedirectResponse
      */
     public function toggleArchiveAction(Request $request, Entry $entry)
     {
+        $this->checkUserAction($entry);
+
         $entry->toggleArchive();
         $this->getDoctrine()->getManager()->flush();
 
@@ -148,11 +161,15 @@ class EntryController extends Controller
      *
      * @param Request $request
      * @param Entry   $entry
+     *
      * @Route("/star/{id}", requirements={"id" = "\d+"}, name="star_entry")
+     *
      * @return \Symfony\Component\HttpFoundation\RedirectResponse
      */
     public function toggleStarAction(Request $request, Entry $entry)
     {
+        $this->checkUserAction($entry);
+
         $entry->toggleStar();
         $this->getDoctrine()->getManager()->flush();
 
@@ -169,15 +186,17 @@ class EntryController extends Controller
      *
      * @param Request $request
      * @param Entry   $entry
+     *
      * @Route("/delete/{id}", requirements={"id" = "\d+"}, name="delete_entry")
+     *
      * @return \Symfony\Component\HttpFoundation\RedirectResponse
      */
     public function deleteEntryAction(Request $request, Entry $entry)
     {
-        $em = $this->getDoctrine()->getManager();
+        $this->checkUserAction($entry);
+
         $entry->setDeleted(1);
-        $em->persist($entry);
+        $this->getDoctrine()->getManager()->flush();
-        $em->flush();
 
         $this->get('session')->getFlashBag()->add(
             'notice',
@@ -186,4 +205,16 @@ class EntryController extends Controller
 
         return $this->redirect($request->headers->get('referer'));
     }
+
+    /**
+     * Check if the logged user can manage the given entry
+     *
+     * @param Entry $entry
+     */
+    private function checkUserAction(Entry $entry)
+    {
+        if ($this->getUser()->getId() != $entry->getUser()->getId()) {
+            throw $this->createAccessDeniedException('You can not use this entry.');
+        }
+    }
 }

src/Wallabag/CoreBundle/DataFixtures/ORM/LoadEntryData.php

@@ -16,13 +16,32 @@ class LoadEntryData extends AbstractFixture implements OrderedFixtureInterface
     {
         $entry1 = new Entry($this->getReference('admin-user'));
         $entry1->setUrl('http://0.0.0.0');
-        $entry1->setTitle('test title');
+        $entry1->setTitle('test title entry1');
         $entry1->setContent('This is my content /o/');
 
         $manager->persist($entry1);
-        $manager->flush();
 
         $this->addReference('entry1', $entry1);
+
+        $entry2 = new Entry($this->getReference('admin-user'));
+        $entry2->setUrl('http://0.0.0.0');
+        $entry2->setTitle('test title entry2');
+        $entry2->setContent('This is my content /o/');
+
+        $manager->persist($entry2);
+
+        $this->addReference('entry2', $entry2);
+
+        $entry3 = new Entry($this->getReference('bob-user'));
+        $entry3->setUrl('http://0.0.0.0');
+        $entry3->setTitle('test title entry3');
+        $entry3->setContent('This is my content /o/');
+
+        $manager->persist($entry3);
+
+        $this->addReference('entry3', $entry3);
+
+        $manager->flush();
     }
 
     /**

src/Wallabag/CoreBundle/DataFixtures/ORM/LoadUserData.php

@@ -15,13 +15,26 @@ class LoadUserData extends AbstractFixture implements OrderedFixtureInterface
     public function load(ObjectManager $manager)
     {
         $userAdmin = new User();
+        $userAdmin->setName('Big boss');
+        $userAdmin->setEmail('bigboss@wallabag.org');
         $userAdmin->setUsername('admin');
         $userAdmin->setPassword('test');
 
         $manager->persist($userAdmin);
-        $manager->flush();
 
         $this->addReference('admin-user', $userAdmin);
+
+        $bobUser = new User();
+        $bobUser->setName('Bobby');
+        $bobUser->setEmail('bobby@wallabag.org');
+        $bobUser->setUsername('bob');
+        $bobUser->setPassword('test');
+
+        $manager->persist($bobUser);
+
+        $this->addReference('bob-user', $bobUser);
+
+        $manager->flush();
     }
 
     /**

src/Wallabag/CoreBundle/Repository/EntryRepository.php

@@ -2,7 +2,6 @@
 
 namespace Wallabag\CoreBundle\Repository;
 
-use Doctrine\ORM\Query;
 use Doctrine\ORM\EntityRepository;
 use Doctrine\ORM\Tools\Pagination\Paginator;
 

src/Wallabag/CoreBundle/Tests/Controller/EntryControllerTest.php

@@ -3,6 +3,7 @@
 namespace Wallabag\CoreBundle\Tests\Controller;
 
 use Wallabag\CoreBundle\Tests\WallabagTestCase;
+use Doctrine\ORM\AbstractQuery;
 
 class EntryControllerTest extends WallabagTestCase
 {
@@ -10,7 +11,7 @@ class EntryControllerTest extends WallabagTestCase
     {
         $client = $this->getClient();
 
-        $crawler = $client->request('GET', '/new');
+        $client->request('GET', '/new');
 
         $this->assertEquals(302, $client->getResponse()->getStatusCode());
         $this->assertContains('login', $client->getResponse()->headers->get('location'));
@@ -18,7 +19,7 @@ class EntryControllerTest extends WallabagTestCase
 
     public function testGetNew()
     {
-        $this->logIn();
+        $this->logInAs('admin');
         $client = $this->getClient();
 
         $crawler = $client->request('GET', '/new');
@@ -31,7 +32,7 @@ class EntryControllerTest extends WallabagTestCase
 
     public function testPostNewEmpty()
     {
-        $this->logIn();
+        $this->logInAs('admin');
         $client = $this->getClient();
 
         $crawler = $client->request('GET', '/new');
@@ -49,7 +50,7 @@ class EntryControllerTest extends WallabagTestCase
 
     public function testPostNewOk()
     {
-        $this->logIn();
+        $this->logInAs('admin');
         $client = $this->getClient();
 
         $crawler = $client->request('GET', '/new');
@@ -74,27 +75,27 @@ class EntryControllerTest extends WallabagTestCase
 
     public function testArchive()
     {
-        $this->logIn();
+        $this->logInAs('admin');
         $client = $this->getClient();
 
-        $crawler = $client->request('GET', '/archive');
+        $client->request('GET', '/archive');
 
         $this->assertEquals(200, $client->getResponse()->getStatusCode());
     }
 
     public function testStarred()
     {
-        $this->logIn();
+        $this->logInAs('admin');
         $client = $this->getClient();
 
-        $crawler = $client->request('GET', '/starred');
+        $client->request('GET', '/starred');
 
         $this->assertEquals(200, $client->getResponse()->getStatusCode());
     }
 
     public function testView()
     {
-        $this->logIn();
+        $this->logInAs('admin');
         $client = $this->getClient();
 
         $content = $client->getContainer()
@@ -102,13 +103,96 @@ class EntryControllerTest extends WallabagTestCase
             ->getRepository('WallabagCoreBundle:Entry')
             ->findOneByIsArchived(false);
 
-        if (!$content) {
+        $client->request('GET', '/view/'.$content->getId());
-            $this->markTestSkipped('No content found in db.');
-        }
-
-        $crawler = $client->request('GET', '/view/'.$content->getId());
 
         $this->assertEquals(200, $client->getResponse()->getStatusCode());
         $this->assertContains($content->getTitle(), $client->getResponse()->getContent());
     }
+
+    public function testToggleArchive()
+    {
+        $this->logInAs('admin');
+        $client = $this->getClient();
+
+        $content = $client->getContainer()
+            ->get('doctrine.orm.entity_manager')
+            ->getRepository('WallabagCoreBundle:Entry')
+            ->findOneByIsArchived(false);
+
+        $client->request('GET', '/archive/'.$content->getId());
+
+        $this->assertEquals(302, $client->getResponse()->getStatusCode());
+
+        $res = $client->getContainer()
+            ->get('doctrine.orm.entity_manager')
+            ->getRepository('WallabagCoreBundle:Entry')
+            ->findOneById($content->getId());
+
+        $this->assertEquals($res->isArchived(), true);
+    }
+
+    public function testToggleStar()
+    {
+        $this->logInAs('admin');
+        $client = $this->getClient();
+
+        $content = $client->getContainer()
+            ->get('doctrine.orm.entity_manager')
+            ->getRepository('WallabagCoreBundle:Entry')
+            ->findOneByIsStarred(false);
+
+        $client->request('GET', '/star/'.$content->getId());
+
+        $this->assertEquals(302, $client->getResponse()->getStatusCode());
+
+        $res = $client->getContainer()
+            ->get('doctrine.orm.entity_manager')
+            ->getRepository('WallabagCoreBundle:Entry')
+            ->findOneById($content->getId());
+
+        $this->assertEquals($res->isStarred(), true);
+    }
+
+    public function testDelete()
+    {
+        $this->logInAs('admin');
+        $client = $this->getClient();
+
+        $content = $client->getContainer()
+            ->get('doctrine.orm.entity_manager')
+            ->getRepository('WallabagCoreBundle:Entry')
+            ->findOneByIsDeleted(false);
+
+        $client->request('GET', '/delete/'.$content->getId());
+
+        $this->assertEquals(302, $client->getResponse()->getStatusCode());
+
+        $res = $client->getContainer()
+            ->get('doctrine.orm.entity_manager')
+            ->getRepository('WallabagCoreBundle:Entry')
+            ->findOneById($content->getId());
+
+        $this->assertEquals($res->isDeleted(), true);
+    }
+
+    public function testViewOtherUserEntry()
+    {
+        $this->logInAs('bob');
+        $client = $this->getClient();
+
+        $content = $client->getContainer()
+            ->get('doctrine.orm.entity_manager')
+            ->getRepository('WallabagCoreBundle:Entry')
+            ->createQueryBuilder('e')
+            ->select('e.id')
+            ->leftJoin('e.user', 'u')
+            ->where('u.username != :username')->setParameter('username', 'bob')
+            ->setMaxResults(1)
+            ->getQuery()
+            ->getSingleResult(AbstractQuery::HYDRATE_ARRAY);
+
+        $client->request('GET', '/view/'.$content['id']);
+
+        $this->assertEquals(403, $client->getResponse()->getStatusCode());
+    }
 }

src/Wallabag/CoreBundle/Tests/WallabagTestCase.php

@@ -18,12 +18,12 @@ class WallabagTestCase extends WebTestCase
         $this->client = static::createClient();
     }
 
-    public function logIn()
+    public function logInAs($username)
     {
         $crawler = $this->client->request('GET', '/login');
         $form = $crawler->filter('button[type=submit]')->form();
         $data = array(
-            '_username' => 'admin',
+            '_username' => $username,
             '_password' => 'test',
         );